Welcome everybody. My name is Marcel Holtmann. I work for the Open Source Technology Center at Intel, and I will give you a story on how we actually wrote another wireless daemon for Linux: what it does, what it can do and what our intentions were. As usual with my other two presentations earlier, a nice disclaimer; I'm not repeating all of this, but Linux is a trademark of Linus Torvalds, the Wi-Fi Alliance has a bunch of trademarks, you can read them by yourself, LTE is a trademark, the NFC mark is a trademark and Bluetooth is also a trademark of the Bluetooth SIG, and there will probably be more, but they are all owned by their respective owners.

Quickly about myself, I keep this really quick. I have maintained the Bluetooth stack for Linux since around 2004, so that has been a long time. In that time, while doing that one, I created a connection manager for Linux, ConnMan, similar to NetworkManager, but it has been used in actual embedded products like the Nest thermostat and so on and so forth, so it has been widely used on devices that actually get out in the field and get a lot of testing. We developed a telephony stack that still runs in certain devices in some areas; allegedly, it is driving a bus somewhere in Russia, so it's all good. We also did a proxy daemon called PACrunner, finding all the proxy needs, all integrated nicely. And if you've been to my previous presentations, there are two pieces on my introduction slide; I'm actually talking about these two pieces today and give you an overview of these ones.
And so we will see this. I joined OTC, I joined Intel, in 2007, so that's my 10 years running now for Intel, and it has been quite an interesting ride in open source and what we have achieved by then. Before I continue I want to give a little bit of extra credit since this is not all my own work. So Denis Kenzior, Andrew Zaborowski, Tim Kourt, Raul and Mat Martineau have actually been really heavily helping us to get this code base up and running and doing fixes for the Wi-Fi stack in the kernel, for the crypto subsystem and a lot of other pieces. Without these people we would never have gotten as far as we are right now. So extra credit to these guys.

So when I started at Intel about 10 years ago, this was pretty much the basic vision that we had and we wanted to get to it. So the idea was: we have our hardware, we have a bunch of Linux kernel drivers, we have a bunch of Linux subsystems or equivalent things that we want to support, and this goes really from NFC to Bluetooth Classic; in the meantime Bluetooth Low Energy came along, Bluetooth Mesh is coming along soon, 802.15.4 has become more relevant in the later years, it has been around a long time, but with the introduction of Thread and a lot more ZigBee devices 802.15.4 is more relevant. Wi-Fi of course, 3G and LTE came along and so on and so forth. But the idea was pretty much the same: we had drivers that talk to the hardware, then we have subsystems that can actually manage them, and then we have a connection manager, that's where ConnMan came in, that can handle all of these ones and expose them nicely and treat them all the same, so we actually can have a unified view of them, and then we have the applications dealing with this one. So if you need internet connectivity or anything else, the applications have a unified view on this one. So that was the basic idea about 10 years ago of how we wanted to go about this. We made progress, and we got to a state where this actually looks kind of the way we wanted it.
So we have subsystems for almost everything. So we have an NFC subsystem that got created in that time. We always had a Bluetooth subsystem, but it got extended with Low Energy support, and you will soon see also Bluetooth Mesh support once that standard gets ratified sometime this year. We have improvements for the 802.15.4 subsystem and have seen drivers happening, new hardware spins, self-built hardware, new spins of that hardware, and even lately a company said, oh, we're going to build this, here's the driver for it, which is just great. We always had the wireless subsystem, but that has seen also a lot of improvements over the last 10 years. The only difference, where we never had a kernel subsystem, is 3G and LTE, and I don't think this will ever happen because these things are easier done in user space. So we have a large abstraction there in user space. That still means you have some hardware drivers, like QMI or similar drivers, or with Nokia ISI or with ST-Ericsson, I forgot what they're called now, there is some subsystem as well, some mini helper subsystems, but they all were hardware specific and we did the rest of the unification in user space.

And then we had the daemons on top of it. So when I say we have the neard daemon; BlueZ, we always had the Bluetooth daemon; for 3G and LTE we had oFono. The problem part has always been Wi-Fi, since there has been wpa_supplicant, but that's not really a daemon, that's just something that implements a supplicant. It does a little bit more, and I'll get into the details. So on this slide we have ConnMan plus the supplicant that does the Wi-Fi, but we really wanted to get to the point that ConnMan doesn't have to do any Wi-Fi handling. So we were in the weird spot that everybody else is nicely abstracted into other subsystems and daemons, but for Wi-Fi we had to go one level down and break layer separation.
That's bad. And obviously there's something missing for 802.15.4, but that's at a little bit more early stage, we are not really there yet. So what we want to be at at some point in the near future is: we move this weird thing with ConnMan and wpa_supplicant out of the way and we put a proper wireless daemon in there. That's what this talk is about: how we got there and how far we actually are. So the daemon is called IWD, iNet wireless daemon. We needed something short and sweet, and short is never the best, but that's what we came up with, and you also see what I already put in the white box, it's called Node Manager. It's kind of more the working title for this one. We want the same thing for 802.15.4, where you have something that manages your mesh network on 802.15.4 and keeps it together, so an implementation of Thread for example would fall in that schedule. It keeps managing our network and ConnMan doesn't really have to care about more than the IPv6 connectivity, etc. But this talk focuses on IWD. I think Node Manager may come later this year or maybe next year, depending on how we get along with that one, but that's not public yet.

Every time I had to do a new daemon or start up a new project to fix something, the question was really why we actually need a new daemon, and the fundamental problems that we ran into. We couldn't fix wpa_supplicant to become a daemon; as I said, it isn't actually a daemon. It thinks it is one, but it really doesn't do the proper job. It only does it halfway. So the biggest problem is persistency: you kill it, you start it again, it forgot literally everything it just did. Which is kind of neat if you're willing to reprogram everything, but that means someone else has to store the information for you, for example what your keys were, what network you just connected to and so on and so forth. That doesn't really work for us since everything else on our side remembers things.
So if you program an access point, or what's called an APN in the LTE world, into oFono, it remembers it; restarts, a crash or anything else, it will keep remembering it. If you pair a device in BlueZ for Bluetooth, it remembers it, you don't have to remember it. So this is like, why don't you just remember this information, remember the keys, remember the networks you joined? But wpa_supplicant refuses to do that. It really refused to do this. Then you have some sort of Wi-Fi management that you still have to do, where wpa_supplicant also says, I don't really care about this, go figure this out. Especially when it comes to, oh, I need to transition on this network to another one, it was like, yeah, you can figure this out by yourself. And I was like, no, I want you to figure this out, I just want you to connect to these networks that I know and just tell me if you changed it. But you're doing anything I want to do if I want a higher layer looking down. Oh, I have to redo my IP address because I just changed the network, but all the other details I don't really care about, and it didn't really want to do this. It said, oh, someone else's problem. There are also some things where then you have to go way deeper in, where you have some specific handling on, oh, I'm running on 5 GHz now compared to 2.4 GHz and some other stuff, and we go like, why do I care? And from a ConnMan perspective we never really cared, but we had to carry this information around.

One thing that bugged me all the time is that the number of abstractions wpa_supplicant has on the lower layers, when it talks to the hardware, is massive. I mean it literally supports everything and the kitchen sink underneath, and it goes like, oh, I can still work on OS X.
I can still work on Windows, I can still work with weird embedded systems that nobody has heard about, and they're trying to abstract for every single hardware, which for me is like, maybe this hardware abstraction is actually causing some of the problems that we are seeing. And there's still support for wireless extensions, which is like, we killed that one, well, we didn't really kill it, but it's supposed to be dead since a while ago. But all this legacy, or even multiple operating systems, causes certain things that we have seen where you actually block because they don't know how to handle this one. Not all the interfaces are actually nicely asynchronous interfaces where you have notifications that something completed or something happened, which means, oh, they just sit there and wait and ponder: have you done this now? Have you done this now? Have you done this? Oh great, now I can continue. It's like, why don't we just tell it what to do, and then when it's done it comes back to me, I'm done with this now, and in the meantime I can do something else. Which is really important because we want to sleep most of the time, and only if there is actually something do we want to do it. Which is extremely sad if you have a modern Linux system where you have cfg80211 that actually is fully asynchronous because it uses nl80211 netlink, and wpa_supplicant treats it like a blocking interface, and they go like, come on.

So this is wpa_supplicant and we don't need most of this one. So we really want to cut down the features. So with that one, yes, we're going to go Linux only, which is good or bad depending on what your view on this one is. But if you go Linux only we can make certain assumptions on how we're going to do it and what we can do there. So if I break this down, if you unfold the Swiss Army knife, and it is not a complete picture, what you see on the left is how wpa_supplicant and the Wi-Fi subsystem connection could work. That's not even a complete picture, there's even more in there.
I could put in tons of extra operating systems; there is tons of extra code in there, but fundamentally what we have is: you have the hardware, which is fine; you have the full-MAC and the soft-MAC support in the Linux kernel, that's still great; you have the mac80211 subsystem for the soft MACs, great; and you have cfg80211 for the configuration that abstracts the full MAC from the soft MAC. Sounds all reasonable, right? But then you still have, oh, we can expose this over netlink or we can expose the wireless extensions. Well, okay, fine, the kernel might have to do this for backwards compatibility, and Linux doesn't break an existing API and so on and so forth, I get this. And then it goes to the supplicant: oh, we're supporting both, we're not making decisions. Okay, great. So that code never went out. So you can go talk to ioctls with it and you talk libnl with it. The funny stuff is, if you have systems that then try to talk both at the same time, then it gets really confusing. It's a really bad idea. Then they go, we expose some APIs; we're not just wpa_supplicant with a command line, oh, we also have a Unix socket with a control interface, oh hold on, right, we also do a D-Bus v1 interface, we also do a D-Bus v2 interface, we can also support binder and God knows what else is in there. So I was like, okay, so you're trying to please everybody, which is not really helping. And then obviously it runs on macOS, it runs on other OSes, and then it needs a couple of SSL functionalities for WPA Enterprise, and then we can do OpenSSL, we can do GnuTLS, we have an internal TLS, and I think if you look far enough, you'd be surprised.
Oh, we also support Windows TLS and so on and so forth. So this goes on and keeps bloating, and don't believe that you will find a release that will compile in all possible combinations, because nobody is actually testing this one. Some of them compile, and oftentimes you find that if you switch one option off it stops compiling. Anyway, what we had to do to actually squeeze this into something usable with ConnMan, and as I said it's used in products like the Nest and other systems that have been heavily exposed: we actually wrote something that's called gsupplicant which wraps the D-Bus API v2. We tried the v1 one, that never worked out. We tried the v2 one, that actually got us somewhere closer. We had to write a lot of code to actually wrap that API in something that we could actually use in an asynchronous fashion and in a stateful way, make sense of the states and make it persistent, and still failed to do everything right because we never got the right set of information, and then ConnMan started using that one. But you see it's quite big.

So with that one in mind I sat down and said, if we would do this from scratch, how would this actually look, how would we want to run this? So, assumptions: we keep ConnMan. We keep the kernel Wi-Fi subsystem because that was still good, and use it, so we have the same separation of soft MAC, full MAC, cfg80211. And I was like, okay, we're not doing wireless extensions anymore because they're blocking ioctls; we want to do netlink. So kick that one out, and then fundamentally it was really just: we want IWD, and we want IWD to expose this over D-Bus, and then have ConnMan talk to it. And we want it to look the same as what we did with BlueZ and oFono. It is stateful, it remembers the states, remembers the networks, remembers the passwords and so on and so forth.
So that was the idea, and with that one we put down the list of how we want to do this, and everybody basically claimed we were kind of weird and trying to re-implement wpa_supplicant. But it's the same thing: enough people keep complaining about wpa_supplicant, we keep finding enough errors in it and issues that even if we wanted to fix them, upstream didn't let us fix them. So we went, actually, can we just make it persistent? So we actually have a mode where it would remember the networks. Yeah, you can do this if you do X, Y, Z, but that's really not safe and it doesn't work this way, it's more for testing, or you can't do this over D-Bus, you only can do so over a Unix socket, oh, I have to reload the config file, and the config file format kept changing between versions. And I was like, um, okay, so that's not really helping.

So it caused a lot of problems, but we also realized at some point that even the kernel side has a couple of issues, because wpa_supplicant was the only user of an API that the kernel exposed, and we had to fix some of these things, because it operates the cfg80211 interface with netlink in a blocking fashion. They forgot some of the signals that they're supposed to be sending; while the documentation says these are supposed to be happening, they actually never sent them because wpa_supplicant never needed them and they never bothered fixing them. So that goes for hotplug and some other things. Most of this that we have found so far we actually fixed and got upstream. There are a couple more things coming where we actually do a couple of additions to the netlink APIs. I'll give you an example: we have some of them where basically, if the daemon dies, the kernel keeps continuing.
So if your daemon that manages your network and manages your keys dies, you actually want the kernel to take down your interface. Same as if you open a TCP socket and the program dies, the kernel closes that TCP socket for you. You would expect that a netlink interface would do exactly the same: okay, my managing daemon in user space is gone, please disconnect the station. Now they keep the station up and running because you magically could find it again and continue doing it. You lost all your credentials, you have no idea what state you are in and you will never get this back. So, yeah, but it works for open networks, great. And then about us, there are a few things coming where we had a couple of additions, most of them upstream; there are a couple of new ones coming for some of the RSSI stuff so you can do better roaming, etc.

The one big thing that we had when we looked at this one, at how we're going to do this, is: okay, it talks to netlink, and the generic netlink libraries that you will find and use if you're just naive, they're all bad. I'm sorry, it's all bad, and you can find six different versions of it and everybody tries to get them a little bit smaller, but they're keeping the same APIs. So if you use libnl or any variation of it, one, you're wasting memory left and right because they allocate humongously large buffers because they have no idea what they're doing. They're also doing discovery of the netlink families so massively that you basically have everything in memory, which is great if you have like a command line application: execute it, you finish it, you close it again. If you have it continuously running, you're consuming a lot of extra memory. Interestingly enough, libnl is also blocking in some areas, which is like, okay, we're talking to an asynchronous interface and you're blocking because you have no idea how to operate this. And this goes on to the level that generic netlink has the same concept as D-Bus: families can
come and go as they like. You can load a kernel module and your family comes, but you can also unload and reload a kernel module, your family IDs are changing and you need to adapt to this one. The functionality is all there to tell you about it, but you actually have to know how it works. If you're a command line tool you don't really care: you discover your family, you send your command, and then you quit, and next time you do it again. If you're a long-running daemon, and I'm talking years, not actually just a couple of hours, then that's not going to work. You have to handle these situations.

So with that one we said, okay, we are nowhere near close to actually just going up and writing IWD. That's not going to work. So we needed to actually take one step back, and the one step back was, we said, okay, we have so many projects that have so many common needs, and we go even further with some of these. We are building a library similar to GLib that actually does this all for us, but it does it in a consistent way for system-level daemons, and the library is called Embedded Linux Library. We open sourced it; the short name is ell. And we picked the word ell because if you look in a dictionary it actually means an L-shaped building. So we have the L in there again, which is our prefix for the library, and it's for Linux. So it kind of all came back together from a naming perspective, that kind of made sense. What do you get with it?
You get main loops, you get signal handling, your timeouts, asynchronous I/O. Asynchronous I/O is built into the library in a nice way; you can actually drive these things when you have to listen to events and want to be single-threaded. Strings, hash tables, queues, ring buffers, hwdb support if you want to be a little advanced. You know, the stuff that we would have to drag in from three or four different libraries we really implemented in a really small way, so we can do this. Which is the obvious thing you would do if you would do something like a GLib library. But then I said, look, we're putting netlink support in there. So we put netlink support in there, including basic support for the route netlink, so we can do something like setting routes. Well, then we also wrote, really from scratch, a generic netlink that is fully asynchronous, so it does the family discovery and tracking, so that's in there as well. We put kdbus support in there; remember the time when kdbus was hip and the next big thing coming? Yeah, that's still in there, including GVariant support for the encoding of the payloads. Sadly, we actually have to remove this since kdbus is a dead project and it is not going to happen again. We also put normal D-Bus support in there, so it has its own full D-Bus library in there, so you don't actually need to use libdbus or anything else of this one, and again fully asynchronous, nicely maintained and really simple. Logging support, can be to the console but also to the journal, so as a daemon you don't have to worry about this. The sources you find on kernel.org in the tree, have a go at it and look at it. But that's what we need, otherwise we're not going to get anywhere.

So with this one our original idea of what we're going to do changed a little bit, but really not much. We're just going to put ell as a library in there to actually talk to nl80211, we have IWD use it, and then we also can even use it to expose the D-Bus interface, and it's awesome. So that
one was good, great, and we got IWD running off the ground and could actually start doing something. So we got really quickly really far. We could now nicely scan for networks, we could discover the hardware, we could switch between active and passive scanning, we could do SSID grouping for the networks and for roaming, and open network support was really fast. It's unbelievable, within a day you can connect to an open wireless network and don't really have to do much, with few lines of code. It was really great, really exciting.

But then we went, hold on a minute, let's try to see if we can connect to an encrypted network, and then it goes like, oh geez, so the whole four-way handshake is done over Ethernet and it's detached from cfg80211. So you actually have a synchronization problem, which we have been running into quite a bit. Instead of just having the Ethernet part go through the netlink interface, no, you open a raw socket and talk to this one, and in some cases, because the kernel schedules things differently, because one is actually an Ethernet packet and the other one is a netlink packet, you might get them in the wrong order. It's like, so, yay, we have to work on synchronization between the four-way handshake and the keys that have to be set up. We need to figure out how to program the encryption keys and so on and so forth. So we needed a couple of crypto functionalities; key refresh goes all through user space, the kernel is doing nothing for us, and obviously we had to manage the stations because we need to make sure that we can update them again. With that one, all okay, so we have to deal with this one, fine. We knew what we were getting into, we deal with it. On to what we needed: cryptographic support. And that's an interesting thing when you say, okay, we need cryptographic support. Everybody runs to some crypto library, libgcrypt, or let's take OpenSSL that does everything for you, anyway, let's take GnuTLS, and something like, mmm.
I didn't really want to, so luckily the whole discussion happened with the random numbers. So we actually decided, let's get the getrandom system call into ell and just use this one. We knew that we were limiting ourselves to brand new kernels, but we also knew that it would take a while before this project gets public. So it's like, okay, fine, we just deal with this one. Then we needed pretty much AES and RC4 support. Interestingly enough, the AF_ALG interface of the Linux kernel allows you direct access to the ciphers that the Linux kernel already has, and will offload to hardware if needed. So AF_ALG is great, but AF_ALG is not performant. So if you think you can do high-performance AES operations on an AF_ALG interface in the kernel, you're paying a high penalty price with a lot of system calls, which you do, so you don't want to do it. But we looked at how many AES operations we have to do for certain key exchange operations, like we're paying four system calls for doing a four-way handshake, it's like, why do I care? The kernel can do this perfectly for me. That's not your bottleneck. So for us it's fine. If you want to do high-performance AES operations with AF_ALG, don't do it. If you have low-performance, a few AES operations, this one gets you there without having to worry about it, and we put that natively into ell. So basically open a socket and say, look, do this, and it goes to the kernel and does it. And if someone wants to re-abstract it to a faster user space implementation, they can, but I don't have to think about whether my AES implementation, or the one that I copied, is correct. So we rely on the kernel doing it. We needed to do the hashes as well. Originally, we would have had to do the hashes manually since the kernel had no support for hashes, but luckily then they came along and actually also supported the hashes via AF_ALG. So you also have the hashes available, which is kind of nice.
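To make the AF_ALG usage described above concrete, here is an added example (not ell or IWD code) that drives the kernel's own SHA-256 and AES-CBC through the socket interface using CPython's built-in AF_ALG support. The transform names ("hash"/"sha256", "skcipher"/"cbc(aes)") are the kernel's; the helpers return None instead of raising when AF_ALG is not usable on the machine (non-Linux, seccomp, or the algorithm module missing), so a caller can fall back rather than crash.

```python
"""Kernel crypto through AF_ALG: every send/recv pair is a system call, which is
why the talk calls it fine for a handful of handshake operations but not for bulk
throughput.  Added example for Linux + CPython; not ell's own shim."""
import hashlib
import socket

# AF_ALG and friends are only defined in Linux builds of CPython.
HAVE_AFALG = hasattr(socket, "AF_ALG")


def afalg_hash(alg_name: str, data: bytes, digest_size: int):
    """Digest `data` with the kernel's `alg_name` (e.g. "sha256", "sha1").
    Returns None when AF_ALG cannot be used."""
    if not HAVE_AFALG:
        return None
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as tfm:
            tfm.bind(("hash", alg_name))        # select the transform
            op, _ = tfm.accept()                 # one operation socket per request
            with op:
                op.sendall(data)                 # syscall: feed the message
                return op.recv(digest_size)      # syscall: read the digest
    except OSError:
        return None


def afalg_aes_cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes):
    """AES-CBC encrypt one or more whole blocks via the kernel's cbc(aes).
    Returns None when AF_ALG cannot be used."""
    if not HAVE_AFALG or len(plaintext) % 16:
        return None
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as tfm:
            tfm.bind(("skcipher", "cbc(aes)"))
            tfm.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
            op, _ = tfm.accept()
            with op:
                op.sendmsg_afalg([plaintext], op=socket.ALG_OP_ENCRYPT, iv=iv)
                return op.recv(len(plaintext))
    except OSError:
        return None


def kernel_hash_matches_userspace(alg_name: str, data: bytes):
    """Cross-check the kernel digest against hashlib.
    None = AF_ALG unavailable, otherwise True/False."""
    ref = hashlib.new(alg_name, data).digest()
    got = afalg_hash(alg_name, data, len(ref))
    return None if got is None else got == ref


if __name__ == "__main__":
    # Constructed input; the AES values are the NIST SP 800-38A CBC-AES128 vector.
    print("sha256 via kernel matches hashlib:", kernel_hash_matches_userspace("sha256", b"abc"))
    ct = afalg_aes_cbc_encrypt(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),
                               bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
                               bytes.fromhex("6bc1bee22e409f96e93d7e117393172a"))
    print("cbc(aes) ciphertext:", None if ct is None else ct.hex())
```

The design point is the one the talk makes: correctness comes from the kernel's tested implementation rather than a copied AES, and the cost is a few syscalls per operation, which is acceptable for a four-way handshake but not for encrypting traffic.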
It requires a rather recent Linux kernel, but if you use a distribution that updates the kernel, everybody has a recent kernel right now. There are a few Wi-Fi-specific key derivation functions that we actually had to build by ourselves. Luckily they always come with test vectors, etc. But we pretty much had to build these by ourselves since they are so weird in how they're defined, because the input parameters are not like: you give, this is my key, this is how you derive it, and then you get the output key. You basically have to put in six parameters, one of them being the MAC address, one of them being something else, and God knows what, and then they go like crazy. Okay, so we would like to offload them to the kernel; we haven't figured out how, because they're way too complicated. So we did them by ourselves. There is work on a generic key derivation function in the kernel crypto subsystem, that's work in progress right now, I think it's pretty close to happening. Sadly, we don't know how to use that one for the Wi-Fi-specific ones, but for standard ones, where you actually derive a symmetric cipher from an asymmetric cipher,
they work perfectly. So with this one in mind we could extend this picture, so we get a little bit bigger on the right side, but fundamentally the only thing is, okay, great, we don't have to add anything to IWD or anything, we just put a little bit of crypto support in ell, and that's pretty much just the shim for using the kernel AF_ALG interface in a nice way. And we put this in ell because if you wanted to use the AF_ALG interface over and over again manually, it drives you insane, because it's actually a socket. So using this with ell gives you a little bit easier way to actually use this, especially if you only need like one or two AES operations or if you have to do a hash: you basically have your input value and then you get it back out. Pretty easy, works out, and we didn't have to do much more and we still didn't increase IWD by a massive amount. We increased ell a little bit, but IWD still stayed the same size. So with this one we were actually pretty happy.

We could do nicely what wpa_supplicant does, we thought we could program the keys, we got everything derived. We ran into the problem that we had no idea how to tell netlink to use these keys. We thought we understood the documentation, but there's just a header file and we were plainly wrong. We had no idea how to do it, at what point we put in the keys, what to toggle and so on and so forth. Like okay, right, the standard answer to this one: read the source code. It's like, mm-hmm, okay, fine. We did, we still couldn't figure out what to do in what order, so it's like, okay, this is not going to help us.
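The "six parameters" remark above refers to the IEEE 802.11 pairwise key expansion. As an added example, not ell's or IWD's code, here is the standard's PRF-384 written out in plain Python: the inputs are the PMK, both MAC addresses, both nonces and a fixed label, and the result is split into the KCK, KEK and TK that the four-way handshake then programs into the kernel. All input values are constructed here, not standards test vectors; a reader should check a real implementation against the vectors in the standard, which, as the talk notes, exist for these functions.

```python
"""IEEE 802.11 pairwise key expansion (PRF-384 over HMAC-SHA1, as used for
WPA2/CCMP).  Added reference code following the standard's definition; it is
not the ell or IWD implementation."""
import hashlib
import hmac


def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """PRF-n from IEEE 802.11: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).
    aa/spa are the 6-byte authenticator (AP) and supplicant MAC addresses;
    the min/max ordering makes both sides derive the same key."""
    if len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("MAC addresses must be 6 bytes, nonces 32 bytes")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = ieee80211_prf(pmk, b"Pairwise key expansion", data, 384)
    # CCMP split: KCK integrity-protects the handshake, KEK wraps the group key,
    # TK is the pairwise traffic key handed to the driver.
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (HMAC-SHA1-128) over the EAPOL-Key
    frame with its MIC field zeroed; the receiver recomputes and compares this
    before acting on the frame."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def demo() -> dict:
    """Constructed inputs (not a standards test vector) showing that the
    derivation does not depend on which side supplies which address or nonce."""
    pmk = hashlib.sha256(b"constructed-pmk").digest()          # 32-byte PMK
    ap, sta = bytes.fromhex("02aabbccddee"), bytes.fromhex("02112233aabb")
    anonce, snonce = bytes([0x11]) * 32, bytes([0x22]) * 32
    ap_view = derive_ptk(pmk, ap, sta, anonce, snonce)
    sta_view = derive_ptk(pmk, sta, ap, snonce, anonce)
    assert ap_view == sta_view
    return ap_view


if __name__ == "__main__":
    keys = demo()
    for name, val in keys.items():
        print(name, val.hex())
```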
We have a tool that already does this, so we have to understand what they're actually doing. So what we did is we took the netlink monitor kernel driver; I had a couple of iterations for this one to make it a little bit better, but what we fundamentally ended up with: we were able to write a monitoring tool for nl80211 that you can start and then see exactly what happens between a daemon and the kernel, without actually interfering or adding any extra code or doing some printfs or anything else. We could pretty much hook into this one, save them, store them and process them later. So the tool is called iwmon, and besides nl80211 it also can trace EAPoL. So we actually can interleave the four-way handshake with the nl80211 traffic, and we knew exactly where these race conditions between these two sockets are happening. So that was great for us to see what's going on, and believe it or not, that helped so much to understand where things are going wrong. One of the interesting things on this one is we also saw the things where wpa_supplicant is doing things fundamentally wrong and where it has no idea what the interface was doing. So if you see something, I'm doing this to you, and the kernel goes back, no such device, and you're like, did we just tell you that we took this interface away and you're still trying to use it? Why? I didn't try to figure out the why, but it was like, okay, that's kind of scary. So I actually don't know if it's readable.
I hope it's a little bit readable here. So this is an example of how iwmon will do this; it's similar to the Bluetooth monitor that we have. So if you send a netlink message, it gets marked as a request. In this case it's a trigger scan, so basically go start scanning, and then you get the SSIDs that you have; in this case you use the test WPA access point, please just look for this one. Then you get an event that says, I'm starting to scan; that goes to everybody, so when they tell, well, I'm starting a scan, it tells you also what frequencies it scans on. So if you leave the frequencies out of the request, it will actually just start scanning on all of them, but you can also put the frequencies in the request and then it will tell you what it can do. Triggering the scan, it will tell you the response at some point, and that goes back to the only single process that requested it. So you have this nice way of, I get the feedback when my request has started, but also it tells everybody else that this is actually going on, so you know who's scanning. This doesn't help if you have a blocking client; it misses the one in between or it overlooks it. But with a fully asynchronous system you can have multiple parts of the system really reacting to this: oh, I have this response for me because I triggered it, but this is the event that goes to something else. Which is great and helps us, and ell does quite a lot to actually make this nice. And then once you're done scanning you get the information that new networks are available, and it tells you, oh, I scanned these SSIDs, I scanned on these frequencies, there are new networks.
Please retrieve them now. And you run this at the same time you're running the daemon, and you can decode this one. It gets funny when you actually see when wpa_supplicant does some things wrong, and for that one the tool is already by itself, at this stage, absolutely valuable if you have to do any diagnostics on a Wi-Fi network where you think something goes wrong but you don't know where. So with this one in place we then finally figured out how you have to do the key exchange, program the keys into the kernel, in which order, and which bits to flip to actually make them active, and so forth. We had access point discovery, we had open access point connections, we could do WPA and WPA2, worked nicely, we could do basic roaming since we knew when we were disconnecting, then we could find it again, rescan and so on and so forth, and we put in a couple of experimental D-Bus APIs so we can actually trigger this, and we had debugging tools so we could do the tracing nicely and easily and capture the traces, store them, and you can even open them in Wireshark if you want to do a little more graphical analysis. But more important, you can actually store them in pcap format and then keep sending the pcap file around, which was great when Denis for example did something in Austin and said, look at this one, he just sent me the pcap file, and I go, yeah, that looks funny, instead of having to send text files around and analyze them. I could just open the binary on my side and can really go through it, scroll through it and go forth and back. And additionally we had our logging for D-Bus and generic netlink if you wanted to see if we are doing something wrong, so we could actually switch on extra debugging and get the messages spilled out. So far really, really great. So I said, okay, this is great.
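To show what a monitor like iwmon has to decode from the bytes on the netlink socket, here is an added example, not iwmon or ell code, that builds a constructed NL80211_CMD_TRIGGER_SCAN request like the one in the trace described above (one SSID, two frequencies) and parses it back: netlink header, generic netlink header, then the nested TLV attributes. The command and attribute numbers (TRIGGER_SCAN = 33, NEW_SCAN_RESULTS = 34, SCAN_ABORTED = 35, ATTR_IFINDEX = 3, ATTR_SCAN_FREQUENCIES = 44, ATTR_SCAN_SSIDS = 45) are taken from the kernel's nl80211.h; the family id 0x1b is a placeholder, because, as the talk explains, the real id is assigned at runtime and must be discovered.

```python
"""Encode and decode an nl80211 trigger-scan request as seen on the wire.
Added example; constants from the kernel's nl80211.h, family id constructed."""
import struct

NLM_F_REQUEST = 0x01              # set on requests, clear on events/broadcasts
NLA_TYPE_MASK = 0x3FFF            # strips NLA_F_NESTED / NLA_F_NET_BYTEORDER
NL80211_CMD = {33: "TRIGGER_SCAN", 34: "NEW_SCAN_RESULTS", 35: "SCAN_ABORTED"}
NL80211_CMD_TRIGGER_SCAN = 33
NL80211_ATTR_IFINDEX = 3
NL80211_ATTR_SCAN_FREQUENCIES = 44
NL80211_ATTR_SCAN_SSIDS = 45


def _align(n: int) -> int:
    return (n + 3) & ~3               # netlink attributes are 4-byte aligned


def nla_put(attr_type: int, payload: bytes) -> bytes:
    """struct nlattr (len, type) + payload + padding; len excludes padding."""
    return struct.pack("=HH", 4 + len(payload), attr_type) + payload + \
        b"\x00" * (_align(len(payload)) - len(payload))


def parse_attrs(buf: bytes) -> list:
    """Walk a TLV area, returning (type, payload) pairs; raises on truncation."""
    attrs, off = [], 0
    while off + 4 <= len(buf):
        length, atype = struct.unpack_from("=HH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError("truncated attribute")
        attrs.append((atype & NLA_TYPE_MASK, buf[off + 4: off + length]))
        off += _align(length)
    return attrs


def build_trigger_scan(family_id: int, seq: int, ifindex: int, ssids: list, freqs: list) -> bytes:
    """Constructed request: nlmsghdr + genlmsghdr + IFINDEX + nested SSIDs/frequencies."""
    ssid_nest = b"".join(nla_put(i + 1, s) for i, s in enumerate(ssids))
    freq_nest = b"".join(nla_put(i + 1, struct.pack("=I", f)) for i, f in enumerate(freqs))
    payload = (struct.pack("=BBH", NL80211_CMD_TRIGGER_SCAN, 0, 0)   # cmd, version, reserved
               + nla_put(NL80211_ATTR_IFINDEX, struct.pack("=I", ifindex))
               + nla_put(NL80211_ATTR_SCAN_SSIDS, ssid_nest)
               + nla_put(NL80211_ATTR_SCAN_FREQUENCIES, freq_nest))
    hdr = struct.pack("=IHHII", 16 + len(payload), family_id, NLM_F_REQUEST, seq, 0)
    return hdr + payload


def decode_nl80211(msg: bytes, family_id: int) -> dict:
    """Decode one message the way a monitor would: request vs event, command,
    and the scan attributes; length fields are checked before use."""
    if len(msg) < 20:
        raise ValueError("short message")
    length, mtype, flags, seq, _pid = struct.unpack_from("=IHHII", msg, 0)
    if length > len(msg):
        raise ValueError("truncated message")
    if mtype != family_id:
        raise ValueError("not an nl80211 message for this family id")
    cmd, _version, _ = struct.unpack_from("=BBH", msg, 16)
    out = {"kind": "request" if flags & NLM_F_REQUEST else "event", "seq": seq,
           "cmd": NL80211_CMD.get(cmd, "cmd%d" % cmd), "ssids": [], "frequencies": []}
    for atype, val in parse_attrs(msg[20:length]):
        if atype == NL80211_ATTR_IFINDEX:
            out["ifindex"] = struct.unpack("=I", val)[0]
        elif atype == NL80211_ATTR_SCAN_SSIDS:
            out["ssids"] = [s.decode("utf-8", "replace") for _, s in parse_attrs(val)]
        elif atype == NL80211_ATTR_SCAN_FREQUENCIES:
            out["frequencies"] = [struct.unpack("=I", v)[0] for _, v in parse_attrs(val)]
    return out


if __name__ == "__main__":
    FAMILY_ID = 0x1B                 # placeholder: real value comes from family discovery
    msg = build_trigger_scan(FAMILY_ID, seq=7, ifindex=3, ssids=[b"testWPA"], freqs=[2412, 2437])
    print(decode_nl80211(msg, FAMILY_ID))
```

The decoder keys on the family id and on NLM_F_REQUEST, which is exactly the split the talk describes: the reply to a trigger scan goes back only to the requester, while the scan-started and new-scan-results notifications are events that every listener, including the monitor, sees.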
We got this going, and we need a little bit more complex things. So, interestingly enough, we were looking at iwd more like "we shrink the code size so we can run it on Linux-based IoT devices that are small". If you look at IoT devices and Wi-Fi, they're mostly headless, and once you're in the headless case nobody wants to do WPA2; they all think "oh, we want enterprise Wi-Fi". So they want certificate-based authentication. I was like, okay, now that gets a little more complicated. So we need X.509 certificates and we need TLS, and we don't want to do GnuTLS or OpenSSL. They have complex APIs, they're huge, they do blocking operations for their setups, and we'd rather have our own EAP engine integrated nicely instead of trying to use something else. So, stuck. Okay, we were at a crossroads again: like, what to do now? And then we ended up, okay, another step back to see what's going on. So, interestingly enough, Linux has secure boot support. Secure boot means you have to deal with X.509 certificates. The Linux kernel also has keyrings, and they're pretty much as close to a certificate chain or CA trust chain as you can get, and the Linux kernel is using them in this way. So you get your certificates, you can build them in, you get them from a TPM, you get them from something else, and then "oh well, if your certificates match I keep booting and I do things". The only problem is that's kernel-internal functionality.
So none of this is really exposed to user space. Yes, you can load your certificates in there, but you can't create keyrings that you actually can seal and use as CAs. Okay, and then you had no RSA operations to actually use them, because once you have your certificate you still have to turn it into a symmetric cipher from your asymmetric one. So this is still a bit of work in progress; we're not completely done with it, not all of it is patched into upstream, but we actually have this in Mat Martineau's tree to actually test this. So if you take Mat's tree and you take an updated version of ell, you get full keyring support and full certificate support without having to actually go for GnuTLS and OpenSSL. So you can take your certificate, load it in, sign, verify, and then you get your symmetric cipher back out of it and push it back into an AES operation. And that's all you fundamentally need for doing Wi-Fi enterprise support. There's a little bit more, but this is the big main item that is getting in your way. With this key handling, the things we pushed into ell were base64 encoding and decoding. The kernel people are a little bit stringent on which formats they're going to accept, and while I didn't want to put a base64 encoder and decoder into ell, that's what we had to do: like, that's the minimum thing. That's fine. PEM was a little bit...
Oh Jesus. Let me put it this way: all the certificates have really weird formats, and if you dig through the RFCs or the documentation long enough, it drives you crazy. Then again, we have RSA key and keyring support now in ell and can actually use RSA for asymmetric ciphers, and it's pretty nice. TLS support we wanted in the kernel, and I think this will happen, but this will take a longer road to actually get there, and we are not alone there. We want this for Wi-Fi, but companies like Facebook and Google want this pretty much for the enterprise side, where they want to have TLS support in the kernel, and I think it's going to happen. For now we have the TLS record protocol implemented in ell, and that's a small price to pay if the certificates are handled by the kernel. I can accept implementing the TLS record protocol myself, because it's a protocol: we can test this, we can unit test this, and I have high confidence in it. If I had to redo the certificates in a user-space library, I wouldn't have that high confidence. But these are all low-hanging fruits, so let's do them and we can get this going. So we actually have TLS support in ell now, and you can just use it to talk to the WPA-Enterprise on your access point. There were some more changes to the basic diagram, which grew a little bit bigger, but not massively: besides AF_ALG we are now actually using the keyctl system calls. No increase to user space except a little bit of handling and a little bit of extra protocols, but it's minimal in comparison to an OpenSSL or GnuTLS library. And we have the keyctl system call, and we extended it with verify, sign and so on, and there's a little bit of extra work coming.
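The record-layer framing mentioned above, as an added example from the editor (this is not ell's code and does not follow its structure): a stateful reader that splits a byte stream into TLS records, enforces the 2^14-byte plaintext limit, and reassembles handshake messages that span record boundaries or share one record. Those two cases are what a record-layer unit test most needs to cover. The input stream is constructed inline; there is no cryptography here, only the plaintext framing used before a cipher is negotiated.

```python
"""
Added example, not ell's own code: TLS record layer framing (RFC 5246 sec. 6.2)
and handshake message reassembly, driven by constructed input.
"""
import struct

TLS_RECORD_HDR = struct.Struct("!BHH")   # content type, legacy version, length
TLS_HANDSHAKE = 22
TLS_CONTENT_TYPES = (20, 21, 22, 23)     # change_cipher_spec, alert, handshake, application_data
TLS_MAX_PLAINTEXT = 1 << 14              # TLSPlaintext fragment limit
HANDSHAKE_HDR = struct.Struct("!B3s")    # msg type, 24-bit length


class RecordLayerError(ValueError):
    pass


class RecordReader:
    """Feed arbitrary chunks, get back complete (content_type, fragment) records."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        self.buf += data
        records = []
        while len(self.buf) >= TLS_RECORD_HDR.size:
            ctype, _version, length = TLS_RECORD_HDR.unpack_from(self.buf)
            if ctype not in TLS_CONTENT_TYPES:
                raise RecordLayerError("unknown content type %d" % ctype)
            if length > TLS_MAX_PLAINTEXT:
                raise RecordLayerError("record length %d exceeds limit" % length)
            end = TLS_RECORD_HDR.size + length
            if len(self.buf) < end:
                break                     # partial record: wait for more bytes
            records.append((ctype, bytes(self.buf[TLS_RECORD_HDR.size:end])))
            del self.buf[:end]
        return records


class HandshakeReassembler:
    """Handshake messages may span records or share one; coalesce fragments."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, fragment):
        self.buf += fragment
        msgs = []
        while len(self.buf) >= HANDSHAKE_HDR.size:
            mtype, len3 = HANDSHAKE_HDR.unpack_from(self.buf)
            end = HANDSHAKE_HDR.size + int.from_bytes(len3, "big")
            if len(self.buf) < end:
                break                     # message continues in a later record
            msgs.append((mtype, bytes(self.buf[HANDSHAKE_HDR.size:end])))
            del self.buf[:end]
        return msgs


def make_record(ctype, fragment, version=0x0303):
    if len(fragment) > TLS_MAX_PLAINTEXT:
        raise RecordLayerError("fragment too large for one record")
    return TLS_RECORD_HDR.pack(ctype, version, len(fragment)) + fragment


def make_handshake(mtype, body):
    return HANDSHAKE_HDR.pack(mtype, len(body).to_bytes(3, "big")) + body


def parse_stream(chunks):
    """Run byte chunks through both layers; return [(handshake type, body)]."""
    reader, asm = RecordReader(), HandshakeReassembler()
    out = []
    for chunk in chunks:
        for ctype, frag in reader.feed(chunk):
            if ctype == TLS_HANDSHAKE:
                out.extend(asm.feed(frag))
    return out


def sample_stream():
    """Constructed input: a ClientHello-shaped message (type 1) split across two
    records, the second record also carrying two more handshake messages
    (types 14 and 11), delivered in odd-sized chunks as a socket might."""
    hello = make_handshake(1, b"\x03\x03" + bytes(32) + b"\x00" * 40)
    half = len(hello) // 2
    rec1 = make_record(TLS_HANDSHAKE, hello[:half])
    rec2 = make_record(TLS_HANDSHAKE, hello[half:] + make_handshake(14, b"")
                       + make_handshake(11, b"\x00\x00\x00"))
    stream = rec1 + rec2
    return [stream[:3], stream[3:50], stream[50:]]


if __name__ == "__main__":
    for mtype, body in parse_stream(sample_stream()):
        print("handshake type %d, %d bytes" % (mtype, len(body)))
```

Once a cipher is active the same reader runs in front of decryption; the length check then applies to the ciphertext limit instead, and an oversized or unknown-type record becomes an alert rather than an exception.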
That's not yet merged for the sealed keyrings, but pretty much you would have a certificate authority inside the kernel. So the interesting part is, nobody realizes with this work that the keyrings inside the kernel are actually shareable between processes, because they have access permissions. And what you could fundamentally do with this is have systemd load all your certificates at boot time, create a keyring, seal it off and then hand it to every process. So if your process starts, it already has the certificate authority of your system available, because it's inside the kernel, and you don't have to go and read 300 files from disk and make sure that they're all there. It's one process doing it one time, and you can share them around. It's a nice feature. Obviously, to make big use of it you would have to change OpenSSL and GnuTLS to actually use that feature and rely on the certificates being in the kernel. That's work we're not going to do; I'm just putting this out. That's an idea some people can work on. But with this in place we have EAP-TLS working, we have EAP-TTLS working, and we also then went a little bit further.
Why? It has nothing to do with certificates, but WPS, the automatic system for retrieving the WPA2 passphrases: we implemented that as well, because we had to do the EAP engine for the enterprise ones, and that one is just the EAP engine used a little bit differently. And so we had this one as well, and we got, okay, so we have these ones and people could actually start working on this. With that one we went a little bit further as well: all the protocols we put in have unit tests. So everything we did at the protocol level has a unit test; there are massive unit tests in iwd. We actually make sure that we did this right, especially for the record protocol and things like that. This is really important, but we also went one step further: like, look guys, I cannot go around and actually test against every access point again and again. So we need some level of automated testing to ensure that we actually keep roaming properly, that we keep connecting to access points, that we don't break simple stuff like WPA2 and so on and so forth. So the Linux kernel has the hwsim driver that is pretty much virtual air. It emulates two or multiple cards and then pretends to be a SoftMAC, and then they just keep sending the packets left and right. So it's virtual air. It's perfect, for obvious reasons. It has a couple of hooks that actually can inject errors and drop packets, but otherwise it's going to be perfect; but that's fine, you can use it at least for testing your protocols. So we built a tool for actually managing these hwsim radios, so we finally have a tool that manages them, because before you had the kernel driver but then also all the manual setup: "oh, I have to create this one, I have to create this one". So hwsim does a lot of the multiplication for you. We duplicated, in this case,
the test-runner tool from BlueZ; we haven't really figured out how to share the code. test-runner is a tool that allows you to pick a new kernel, start it in KVM, inject yourself and run yourself as init, and then run some unit testing on this. So it pretty much uses the existing userspace that you have on your system and then starts with a new kernel, and you can test it. And we extended that with iwd support, hostapd support and also the hwsim setup. So you can actually say "I need three network cards that need to be connected in this way, and then please execute this unit test". And then you have automated end-to-end testing really quickly, and we can test most of these test cases within a couple of minutes instead of spending time on the setup. So that's all there and we keep improving it over and over again. We have a gaggle of test scripts; as usual, we did all the basic tests for manual testing in Python. They're talking to the D-Bus APIs. They get you going; they're nothing for production, but they get you going. So with this one, what we have: the daemon is ready. It's open source. It's ready to go. Open networks, WPA2 and WPA, EAP-TLS, EAP-TTLS, Wi-Fi Protected Setup (WPS). The EAP engine works; it's kind of nice. We need to figure out how we actually extract that EAP engine into something we can also use for wired setups, and maybe move this into ell or something else so it can be reused. We are not there yet; that's going to happen. We have roaming and fast transitions, so that's supported as well. We have persistent storage, so if you kill the daemon and restart it, it will find your network and connect to it. So you don't really have to do anything. And we have a D-Bus API that is in early stages, but we have it. We have the tracing utility iwmon, and we have a testing framework with hwsim and test-runner, so we can test this. And we also now have a ConnMan plugin. The last time I gave this talk, in Berlin a couple of months ago,
we didn't have this ConnMan plugin. Luckily we have the ConnMan plugin now, thanks to Daniel who pushed that through. And the interesting thing is, when I compared the size to what we needed with gsupplicant and the plugin, it's 10% of the code size that we had to do to actually make ConnMan use iwd and connect to Wi-Fi networks. That's a massive decrease in functionality we don't have to maintain anymore, which is great. So, awesome on that one. With this one, I have a couple of slides on how the D-Bus APIs work. They will be stabilized eventually, and we keep working on them and improving them, but they're really, really simple. You can enumerate your device hierarchy, and it tells you which cards are in there. So if you have multiple Wi-Fi cards, if you want to put 10 in the system, go ahead, knock yourself out, put 10 in there or more. We have a network hierarchy that is pretty much simple. It tells you what the network is and you can connect to it. Simple as that. We have an agent: if you have any kind of BlueZ or oFono, all of these do this. If you want the user to be shown a dialog to enter the password, you register an agent, and then you basically get a request for the passphrase, you just send it back, and then it works. So it's fully asynchronous and allows nice integration with the UI. We also have the one for what networks you know, and then you can use them and delete them. So the network API is all documented in text files, and there are a few more by now, so you can work on them. And this would be a simple way of how you're going to do it: you would start iwd and then you just go "list devices" and it will tell you which network cards are in there, and it keeps scanning and finds them for you in the background. It does this all in a nice fashion. If you then want to connect, you just pick out the object path on the D-Bus side, connect to it, start a simple agent if it's encrypted,
and this was the case; I did this testing in Berlin with a Linux network. I would have demoed this one as well, but by accident I put the wrong Wi-Fi dongle in my bag, and that doesn't have an upstream driver yet, and I couldn't be bothered to actually fix that. And then you can just run the DHCP test from ConnMan on it, and you get your DHCP address, and it's really instant. It works really great. So that's the basic way to actually test this and get on. There are a lot of things to do, so we're still missing a lot of things that are being worked on. One of them is iwctl. As with all the other projects, we have a command-line tool, so you don't always have to write a UI; you have a command-line tool that uses the D-Bus APIs and then you can basically go "connect to this one", "disconnect from this one". That's happening, but I don't know when. We need a little bit more; there are some other higher-priority items. So if someone wants to pick this up and work on it, there's a skeleton for it. Go ahead and please work on this one. Connection management integration: as I said, we have ConnMan support, so that's great. That's really what we cared about. There's no plugin for NetworkManager and we're not going to do this. We have really no interest; ConnMan was our main objective. But if someone wants to do this, I think it would be a great idea to have as a project, to see what difference it makes if you use NetworkManager with iwd compared to wpa_supplicant. There's currently no integration with systemd-networkd, but we are looking into how we can actually integrate iwd with systemd-networkd and make systemd use Wi-Fi really early on, for systems that don't use ConnMan. Roaming and access point steering: this is really the one thing that we want to do next, where we want to have a little more advanced roaming policy, where we actually scan networks ahead of time and see what is around you, and
even if you disconnect and reconnect again, scan your previous ones, or the last two or three previous ones, on the frequencies you think they are on, before you go and scan your whole band. This is really important for 5 GHz operation, because scanning on 5 GHz, or the full 5 GHz band, is really expensive, because it takes a long time. So if you have a good idea where you are and what's around you, then you can do a much more optimized scanning operation and connect much faster. It's all about "okay, let's get back to my original network, or networks that are nearby, really fast". There are a lot of things that have to work in there. We have to make sure that we know which network we are connected to, and so on and so forth. Obviously, in the oddest fallback case, you jump on a plane on one continent and get off on another continent; then all these heuristics are going to fail. But if you walk from, say, here to the coffee shop, it should take you literally a couple of microseconds to actually get on the right network, instead of having to waste three or four seconds, or a few minutes, to get on it. This is also really needed for 2.4 GHz and 5 GHz operation, because you want to switch between 2.4 and 5 GHz really fast and not wait, because it causes a user-experience interference, and we don't really want that. So this is work in progress. A lot of the fast transition stuff: there are a couple of the trigger points we don't have yet.
We have patches for the kernel; hopefully they're going upstream soon. They will actually allow you a little bit easier decision-making when you're losing signal strength, especially when you're moving. We have done no offloading capabilities. A lot of hardware actually has offloading capabilities for some of the scan operations, or the four-way handshake, and so on and so forth. They're coming, so we have to catch up with this as soon as the kernel supports it and the hardware supports it. We have to offload some of this stuff; it will happen. The D-Bus API is currently not stable. It needs API review, and we need a little bit of extra dogfooding. ConnMan is already good to have for dogfooding; iwctl would be even better for extra dogfooding. (The Hilton Wi-Fi just kicked me out, excellent.) So we need a bit of dogfooding on this one, and it will happen, and then we can make the API stable. But if people have comments on this, great, please send them to the mailing list, because the more comments the better. We don't have any fancy Wi-Fi features. One of them that has to happen eventually, where iwd and oFono have to work together, is the Passpoint 2.0 feature, where we actually use your SIM card to authenticate. In the past this hasn't been really that prominent; there were a couple of countries that do this, you find an access point every now and then, but it seems some of the telcos are pushing this a little bit quicker now, where you can then offload their network to their hotspots and they're using the SIM cards to authenticate. I've actually never used it in the real world; I've seen this really working in the lab, and I've heard that some people have used it. P2P and Miracast, Wi-Fi Direct, Miracast: we have not looked into it, and I honestly have no idea if we will. So if someone wants to contribute P2P support, I'll make it work, great; I have to figure out a way how, but I don't know if that's
one of the main objectives. Neighbor Awareness Networking is the next big hype thing; let's see. We're not actively focused on it; there are other things to do, but we're not looking into this one heavily. I think before we get to any of these ones we will actually implement access point mode, so we actually have hostapd support, or an equivalent, in it. So, all good. It's available since four or five months now. It's also on kernel.org; ell and the crypto trees are available as well; I had Mat's tree there. What we haven't done yet, and this is what we're starting pretty much probably next week or so: we're actually going to start making releases of ell and iwd, so you can actually get tarballs and build them, and if someone wants to integrate them into a distro as well. Currently it's just git trees that you can build. They're really easy to build, because you have almost no dependencies: ell depends on nothing except your C library, iwd depends on ell and your C library, and that's about it. And iwd is also created in a way that it can have an integrated copy of ell, so fundamentally you can build this on a system with just the C library. So it really has no dependency except that you need a kernel that supports AF_ALG and the keyring keyctl, if you want to use those features. If the keyrings are not there, it will still work, but you will not be able to use WPA-Enterprise. That's about it. So with that one, I'm actually done. So do we have any questions? Go ahead. So the question was: do we offer any help with switching between access point mode and client mode? So right now the answer is we don't have access point mode yet, because that was not a focus. But once we have access point mode, yes, we will allow this. You can actually operate them at the same time if the hardware supports it, or allow easy switching between them, so you don't have to load a different kernel driver or load a different firmware. That should be nobody's problem.
That should be all abstracted. So either we're going to fix the kernel interface and the drivers for it, or we have to figure out something else. That's the idea, but we're not there yet. So the question was: how far is hostapd support or access point mode support? We have zero lines of code for this one. But that said, we have all the crypto primitives and everything else is actually there, and the kernel does a lot of the work with the beacons and the actual setup. So my estimate is, if someone really wants it, they wouldn't need a lot to make this fly, because the heavy lifting is getting all the crypto in place. So we'll get to this one; if you want to do it before we get to it, great. We are happy to get external contributions. Yes, please. So I heard "what would it take to add..." and then that's blank. Yeah, hold on. So, that's a good one. The interesting part is, since we're actually using the kernel keyrings, if the kernel understands your TPM or your hardware-based certificate storage, you don't have to do anything. It will just work.
The only thing you need to know is your key ID. So PKCS#11, I don't know; with TPMs it will work really easily. PKCS#11, I frankly don't know enough whether we get them abstracted as a kernel driver or something similar. Yeah, so wpa_supplicant uses a library that loads some module that loads something else, and eventually it goes to the SIM card reader and hopefully gets some credentials out of it, or whatever reader you're going to use. If the kernel can't support an abstraction for this, I don't think we're going to do it. I know that a lot of people are working on TPM 1.2 and TPM 2.0 support, and that one we will support. Off the shelf, what actually works right now: if you have an RSA key fused in TPM hardware, or Intel's QuickAssist, or pick any random hardware that actually has RSA support, we can actually utilize this and we don't have to do anything for it. So buying a USB SIM card reader off the shelf and sticking a card in there, hoping to use that one to authenticate: I frankly don't have any idea. Interesting to look into; you're more than welcome to figure something out. I don't have a real answer for that one. We are dead set on not using OpenSSL and GnuTLS; we're dead set on that. Yes, please. Oh yeah, so WPS will work without the keyring extensions. It will work right now; you can use an off-the-shelf 4.7 or 4.8 kernel, I think. The only thing you need is one of the hashes via AF_ALG, so that works off the shelf now. Any other questions? Yes, please. So the question is: how is this going to be any different once you have this all up and running? So the difference is that it actually will work. That sounds a bit harsh, but... So then, wpa_supplicant works as well, right? There are systems out in the wild that work, and it works for a while, and every now and then something goes wrong.
So the problem with wpa_supplicant is that it swallows states, and in some cases it has no idea what it's doing, and that was our fundamental problem over there. It all works: you connect to it, or you start it from the command line, or you kill it and start it again; you're good. But we were envisioning something where you have to run this for years, and you don't want to restart the daemon or kill it or enter a "sleep 5" because that's the only way to make this work. So we needed something fully asynchronous, which means we needed to know what's happening. And what we've seen is wpa_supplicant swallowing states: they acknowledge this one, or they coalesce all the states into one. It's like, to make an efficient roaming decision we needed to know those two states before. It's like, why did you actually do that? That's what we fixed, and upstream wpa_supplicant never wanted to take it. I go like, now we know better. Some of the things were also that, because of the swallowing of the states, you actually couldn't figure out what to do next, and sometimes they actually probed the hardware so many times and didn't know why. So you can say what you want; wireless extensions were fundamentally broken. cfg80211 had a couple of issues that we fixed, but besides that it is actually a pretty decent wireless subsystem in the kernel that abstracts multiple pieces of hardware. So when we did the testing with an upstream driver that actually has no weird behavior and gets all the configuration to them properly, we didn't have to do any hooks: "oh, this is Intel hardware, this is Marvell hardware, this is Qualcomm". They all behave fundamentally the same, and that was kind of nice, because we didn't have to probe this, or "oh, we poll it twice, then we get the right response".
No: once you drive the interface correctly, you get the right information at the right time and it can make the right decision. So yes, you were able to connect, but we are looking at being able to connect for a long time, stay connected, roam between networks and not have to do a full shutdown. There are a couple of things; sometimes I see when I use my MacBook somewhere, and then it completely screws itself over and you have no idea why; you can reboot it, and once the Wi-Fi hardware loses power, then it gets back into a useful state. But this means somewhere in that time they actually lost all the information they had and were doing something weird. I mean, get rid of this one. So, yes, it will all connect, but I think the experience that you get with iwd is a lot better than what you get with wpa_supplicant. And yes, some companies made wpa_supplicant work really well, and they hammered it into shape and they tested the crap out of it. But I don't want to do that; I want something that just works, and that's the fundamental idea behind it. And we hope it's smaller from the size point of view in the overall system, because wpa_supplicant itself can be compiled really tiny, and they're always advertising there are so many options, but you pay the price by actually putting all these abstractions and shims on top of it to make it usable. So I think the whole concept will be a lot smaller, and I said 10% size reduction for our ConnMan plugin; yay, that's already massive. I hope that answers your question. It was a little longer-winded one, but that's why we did it. Yeah, I asked someone who had to feel the pain points of wpa_supplicant, and I think then... Get this really quickly: ConnMan did a lot of band-aids. We call them gsupplicant; all our band-aids were in that area, and there were a lot more band-aids. So what Daniel said is, what we realized is that a lot of the Wi-Fi issues we had to fix in ConnMan, because wpa_supplicant was only giving us half the information. And it's bad when you have to do guesswork when you're writing code. So I think that state transition means that, but in some cases it might also mean that... I'm sorry, that's not deterministic; that's just wildly guessing something. Playing roulette is more reliable than actually doing that. And that's what wpa_supplicant sometimes did: it just played roulette with that. And if you look at it, that's why iwmon is actually kind of interesting if you want to convince someone: take your system with wpa_supplicant, take iwd, compile iwmon and start it, and then see how many red-lined errors you're going to get where wpa_supplicant sent something to the kernel and the kernel tells you "no such interface" or "no such device". We're like, why are you doing this? And why are you doing this six times in a row? I already told you it's not there. So then you might convince somebody. It's too bad that I don't have a dongle with me that I can just use; otherwise I would demonstrate this to you, because it's there to see. There's another question, please. I like that term: full-time wpa_supplicant babysitter. Can you repeat this again? Yeah, so the library is fine if you want to go threaded. So if you are accepting the premise that you build a threaded application, GnuTLS and OpenSSL, you just put them in a separate thread. You're going to go HTTPS and all good, all golden, right?
Our premise was we actually want to be single-threaded and fully asynchronous, and it doesn't work with OpenSSL and GnuTLS: with the time it sometimes takes to do some of these handshakes, we can't be doing something else already and be done with it. So if you have that premise, at that point you have two choices: either you implement your own TLS library and run with it, which I really didn't want to do, mainly because of all the certificate handling, or you use the kernel one, as we did. So that's the decision you're going to make. The nice advantage is, if you have a really small Linux system, like less than a megabyte, that does a specific job but actually needs a WPA-Enterprise connection, you can use this and send your data over it, because you have your one-to-one authentication, not a shared key; you have real certificates, and then they can send data, and you know it's encrypted, you can trust this. So this would be like a small sensor, big enough to run Linux, and then you can just send the data and you know it goes, and you don't have to worry about anything anymore. And there are cases where you don't have to know TLS. I've also seen cases, and this is a real-life example, where we have companies that actually have GnuTLS in there, but they don't want the memory overhead when you actually link it into your application, or any other application, because they are size-constrained and resource-constrained, every application individually. And they go like, "oh, if I need this application to be bigger again because it has the GnuTLS library, I don't want that memory overhead, because I want to keep that small so I can actually make sure that I can swap this out appropriately". So it doesn't always make sense, but there are some cases where this actually makes a lot of sense, to say we're not going to link GnuTLS into every single application, and we definitely don't link it into this daemon, because then we can size-constrain the daemon. And we have actually seen this with ConnMan:
ConnMan actually can link against GnuTLS for WISPr support or hotspot login and crazy stuff like that, and we have companies saying "no, we don't want this, we don't need this, because we're only running in a home, so we don't really want this, and by the way, because you did this we actually have our system manager kill that process because you're over-utilizing your resources". So there are reasons for doing this in certain cases, but we will stay with the decision, because we will stay single-threaded. That's the main conceptual design decision that we have made, and we're not going to move in a certain direction, because if we move away from this we have to go multi-threaded, we have to do all the locking, and then the code becomes multiple times more complex. So I'd rather take the hit for not using GnuTLS and OpenSSL, and have people blame me for doing this, than actually be blamed for all the deadlocks somewhere. That's the main philosophy behind it. I hope that explains why we are insisting on this. Any other questions? Then thanks everybody, and have a good rest of the conference. One last time.